Updated 1:48 pm EDT, Monday, September 10
After months of relative quiet following the news that a legendary hacker had been arrested and turned coat, someone claiming to be affiliated with the loose-knit hacktivist collective Anonymous late on Monday posted several files online containing the unique device identifying numbers, or UDIDs, of some one million Apple iPhones, iPads and iPod Touches, allegedly obtained from a hacked FBI agent’s laptop.
The hackers said in a statement that the UDIDs published online were stripped of identifying information, but that they were just part of a total of 12.3 million UDIDs that were contained in a file on the FBI agent’s computer.
The files, which appear to be legitimate, were posted in an encrypted form on several downloading websites and linked to in a manifesto published by the self-described hackers on the website Pastebin, often used by Anonymous and its offshoots.
The Anonymous manifesto is as lengthy as it is political. It rails against NSA director General Keith Alexander, Sony and Gawker reporter Adrian Chen, suggests that governments and law enforcement agencies murdered other hackers and covered up the killings, and claims that other information was stored by the FBI agent’s computer, including:
“…User names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.”
Apple could not be reached for comment at the time of this article’s publication, but the FBI responded hours afterwards on Tuesday evening; see this article’s first update at the bottom.
Wherever the one million UDID files came from, their legitimacy is a significant privacy concern, according to several security researchers and Apple developers. Several developers have released simple online tools allowing consumers to check their UDIDs against those posted by the self-described hackers, but the forms are not secure and could expose UDIDs further to the Web.
UDID, which stands for Unique Device Identifier, is a long series of digits ascribed to each Apple mobile device that can be accessed by third-party apps, if a user grants permission, and which advertisers and app-makers can and have often used to track an Apple mobile device’s activities — from surfing the Web to which apps and ads are clicked and when.
Apple in late March began rejecting new applications submitted to its App Store which accessed UDIDs, a change the company had actually warned application developers about back in 2011. Because advertisers rely on this standard to track ad effectiveness, companies have been scrambling to develop new standards.
Still, many apps previously accepted into Apple’s App Store track user devices through the UDID or interact with it in other ways, leading New Zealand security researcher and persistent UDID critic Aldo Cortesi to call the release of the one million UDIDs on Monday a “privacy catastrophe.”
As Cortesi has previously demonstrated, one app allowed hackers to link a UDID to “a user’s identity, geolocation and Facebook and Twitter accounts,” and “completely take over” the app, giving a hacker “access [to] chat, forums, friends lists, and more using just a UDID.”
On Twitter, Cortesi further said that the publication of the one million UDIDs without personally identifying information alongside them was not effective protection from matching UDIDs to real-life identities, writing: “All of the UDID vulnerabilities I’ve described require only a UDID, with no added information.”
If the UDIDs were found on an FBI agent’s computer as claimed by the Anonymous note, it is still unclear how they got there in the first place.
The name of the file that Anonymous said contained the UDIDs on the FBI agent’s computer could be a clue: It was allegedly named “NCFTA_iOS_devices_intel.csv,” a comma-separated values file that can be opened by spreadsheet programs like Excel.
“iOS devices” clearly references Apple’s mobile operating system, iOS, while “NCFTA” may be a reference to the National Cyber-Forensics and Training Alliance, a “non-profit” corporation created in 1997 by the FBI and Carnegie Mellon’s Computer Emergency Response Team (CERT), with the goal of fighting cyber crime.
Third-party Apple app developer Marco Arment, creator of Instapaper, pointed out on his personal blog that there is an iPhone app affiliated with the NCFTA that may have played a role in collecting the UDIDs allegedly found on the FBI agent’s computer: The AllClear ID app, a free identity theft protection application designed by an Austin, Texas-based firm of the same name, which announced a partnership with the NCFTA in March. The app is supposed to alert users when any of their personal information is discovered stolen by one of the NCFTA member organizations.
The NCFTA did not respond to requests for comment in time for this article’s publication. AllClear ID responded to TPM below unequivocally denying any role in this incident as well as denying it ever collected any UDIDs in the first place.
Late updates: The FBI late Tuesday provided a longer statement to reporters, first published by Gizmodo, denying that the hacked UDIDs came from an FBI laptop or that the agency even wanted UDID data in the first place.
The full FBI line, which was also emailed to TPM, reads as follows:
“The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”
Meanwhile, an AllClear ID spokesperson provided TPM the following statement with regard to the possibility that its app could have been used to obtain the UDID data from user devices:
“We have no reason to believe that this incident is linked to AllClear ID, but out of an abundance of caution, we are looking into it and we will get back to you regarding your questions as soon as we have more information to share.”
Later update: The Twitter account ascribed to Anonymous that originally posted the link to the files and the manifesto has countered the FBI response. As @AnonymousIRC tweeted Tuesday afternoon: “Actually they are merely saying that they have no evidence for that. Did anyone expect anything else? We have no reason to lie.”
Even later update: AllClear ID’s spokesperson late Tuesday firmly denied the entirety of the suspicions that its app played any role in the incident. As the spokesperson told TPM:
“AllClear ID does not collect, nor has it ever collected, UDIDs. This incident is not linked to AllClear ID… The AllClear ID app is owned and maintained by AllClear ID, a privately held company. The app is not affiliated with the NCFTA… AllClear ID’s role is to alert consumers quickly and securely if their personal information is reported stolen, so consumers can take immediate action to protect themselves. AllClear does not share any personally identifiable information with the NCFTA.”
Another late update: Florida-based app publishing company BlueToad, Inc., has admitted to being the original source that collected the UDID information and suffered a hack on its systems that involved the theft of that data.
It’s still unclear at this time what connection, if any, the FBI may have had to the data. BlueToad has said that it did not provide the FBI with the data but is not sure whether the agency had access to it through another channel.